After switching to Telus Optik, I wanted to take advantage of Telus IPv6 support, using my Ubiquiti Edgerouter Lite. After a lot of googling, I was able to put enough pieces together to get full IPv6 working across my network. This configuration will work with EdgeOS 1.9.0, and should work with versions of EdgeOS going back at least to 1.7.0.
Note: I am running my Edgerouter with eth0 connected to WAN, which is connected to the Telus router, in bridge mode. The Edgerouter’s eth1 is connected to LAN, and eth2 is connected to WLAN (a wireless AP). There are a few peculiarities to the way Telus provides IPv6 addresses that make standard router configurations problematic. It’s worthwhile to read this comment from a Telus employee:
“Now if you want to use your own router, you can do what you mentioned by using the port 1 bridge mode on the Actiontec and connecting your device into this. It will work fine, however there are a few issues with a majority of 3rd party devices. In order for it to work your device must:
1. Only request a dhcp6-pd (So only send IA-PD in the dhcp6 solicit message). This is what the Actiontecs actually do.
2. If the device does request both an IA-NA, and an IA-PD in the solicit message, then it must conform to RFC 7550. We are not using IA-NA so in our dhcp Advertise message there will be a NoAddrAvail message for the IA-NA, and a prefix for the IA-PD.
#2 is where most of the 3rd party devices have issues. They don’t handle this case and will usually reject the dhcp advertise message that is sent down and just go into an endless solicit loop.”
If your Edgerouter is not configured to request only a DHCPv6 prefix delegation (that is, to send no IA-NA in its solicit), your router’s CPU usage will jump to 100% as the dhcp6-pd log is flooded with denied IA-NA messages. To get around this, you MUST set the Edgerouter WAN interface’s dhcpv6-pd option to “prefix-only”.
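As an added illustration (not code from the original post or from EdgeOS), here is a small Python parser for the two DHCPv6 messages the Telus comment describes: it checks whether a Solicit is IA-PD-only, reads the NoAddrsAvail status Telus returns in the IA-NA, and still extracts the delegated prefix from the IA-PD, which is what an RFC 7550-conformant client has to do. The messages are constructed samples (documentation prefix, made-up transaction id), not captured traffic; option codes are from RFC 8415.

```python
import ipaddress
import struct
# DHCPv6 (RFC 8415): message = type(1) xid(3) options; each option = code(2) len(2) data
SOLICIT, ADVERTISE = 1, 2
OPT_IA_NA, OPT_STATUS, OPT_IA_PD, OPT_IAPREFIX = 3, 13, 25, 26
NO_ADDRS_AVAIL = 2   # status code Telus returns inside the IA-NA

def parse_options(buf):
    opts, pos = [], 0
    while pos + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, pos)
        opts.append((code, buf[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return opts

def ia_suboption(pkt, ia_code, sub_code):
    """Data of sub_code inside the first ia_code option of a message, or None."""
    for code, data in parse_options(pkt[4:]):
        if code == ia_code:
            for sub, sdata in parse_options(data[12:]):   # skip IAID, T1, T2
                if sub == sub_code:
                    return sdata
    return None

def solicit_is_pd_only(pkt):
    """Telus rule 1: the Solicit carries an IA-PD and no IA-NA (what 'prefix-only' makes EdgeOS send)."""
    codes = {c for c, _ in parse_options(pkt[4:])}
    return pkt[0] == SOLICIT and OPT_IA_PD in codes and OPT_IA_NA not in codes

def ia_na_status(pkt):
    """Status code inside the IA-NA (2 == NoAddrsAvail, Telus's answer), or None if absent."""
    sdata = ia_suboption(pkt, OPT_IA_NA, OPT_STATUS)
    return struct.unpack_from("!H", sdata)[0] if sdata else None

def delegated_prefix(pkt):
    """Telus rule 2 (RFC 7550): use the IA-PD prefix even though the IA-NA was refused."""
    sdata = ia_suboption(pkt, OPT_IA_PD, OPT_IAPREFIX)   # pref(4) valid(4) plen(1) prefix(16)
    return None if sdata is None else f"{ipaddress.IPv6Address(sdata[9:25])}/{sdata[8]}"

# Constructed sample messages (not captured traffic): IAID=1, T1=T2=0, xid=0x123456, documentation prefix.
def opt(code, data):
    return struct.pack("!HH", code, len(data)) + data
def ia(code, sub=b""):
    return opt(code, struct.pack("!III", 1, 0, 0) + sub)
XID = b"\x12\x34\x56"
SOLICIT_PD_ONLY = bytes([SOLICIT]) + XID + ia(OPT_IA_PD)               # what the Actiontec sends
SOLICIT_BOTH = bytes([SOLICIT]) + XID + ia(OPT_IA_NA) + ia(OPT_IA_PD)  # default third-party client
NA_REFUSED = ia(OPT_IA_NA, opt(OPT_STATUS, struct.pack("!H", NO_ADDRS_AVAIL) + b"no addrs"))
PREFIX = struct.pack("!II", 3600, 7200) + bytes([56]) + ipaddress.IPv6Address("2001:db8:1234:5600::").packed
ADVERTISE_TELUS = bytes([ADVERTISE]) + XID + NA_REFUSED + ia(OPT_IA_PD, opt(OPT_IAPREFIX, PREFIX))
```

A client that rejects ADVERTISE_TELUS because of the IA-NA status is the one stuck in the solicit loop the Telus employee describes; the router only needs the IA-PD part.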
Also, if you are running your LAN (local ports) in bridged mode, you don’t assign IPv6 addresses to your ethernet ports. Instead, you only assign an IPv6 address to your bridge port. If you assign IPv6 addresses to your ethernet ports when they are bridged, your Edgerouter will get an IPv6 address, and it will be able to ping IPv6 addresses on the WAN, but no IPv6 traffic will get out from the LAN to the WAN. This cost me a lot of lost time as I tried to figure out why things weren’t working.
Before you go any further, make a backup of your current configuration! This will give you a way to roll back your changes. Changes must be made from the EdgeRouter CLI, in configure mode.
Here are the commands to issue, assuming eth0 is WAN, eth1 and eth2 are bridged LAN, and br0 is the bridge:
set interfaces ethernet eth0 dhcpv6-pd prefix-only
set interfaces ethernet eth0 dhcpv6-pd rapid-commit enable
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length 56
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface br0 prefix-id :0
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface br0 service slaac
set interfaces ethernet eth0 ipv6 router-advert managed-flag true
set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 1
commit
Give your EdgeRouter some time, as obtaining an IPv6 address is not always instantaneous. Eventually, your EdgeRouter dashboard should show an IPv6 address (as well as an IPv4 address, at least until you turn IPv4 off) attached to your bridge interface:
Edit – October 2017: If you’re not using your EdgeRouter in bridge mode (and I highly recommend not using your EdgeRouter in bridge mode, it really does slow down throughput), just replace the instances of ‘br0’ in the sample code above with the appropriate ‘eth<n>’.
Because IPv6 gives every device a (theoretically) routable address, you really should set up some firewall rules on the router. There is a basic ruleset that is widely available online, and which will provide you with some basic protection. To set this up, enter these commands:
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ipv6-name WAN6_IN default-action drop
set firewall ipv6-name WAN6_IN description "IPv6 packets from the internet to LAN and WAN"
set firewall ipv6-name WAN6_IN enable-default-log
set firewall ipv6-name WAN6_IN rule 10 action accept
set firewall ipv6-name WAN6_IN rule 10 state established enable
set firewall ipv6-name WAN6_IN rule 10 state related enable
set firewall ipv6-name WAN6_IN rule 10 description "Allow established and related packets"
set firewall ipv6-name WAN6_IN rule 20 action drop
set firewall ipv6-name WAN6_IN rule 20 log enable
set firewall ipv6-name WAN6_IN rule 20 state invalid enable
set firewall ipv6-name WAN6_IN rule 20 description "Drop invalid packets"
set firewall ipv6-name WAN6_IN rule 30 action accept
set firewall ipv6-name WAN6_IN rule 30 log enable
set firewall ipv6-name WAN6_IN rule 30 protocol icmpv6
set firewall ipv6-name WAN6_IN rule 30 description "Allow ICMPv6 packets"
set firewall ipv6-name WAN6_LOCAL default-action drop
set firewall ipv6-name WAN6_LOCAL description "IPv6 packets from internet to router"
set firewall ipv6-name WAN6_LOCAL enable-default-log
set firewall ipv6-name WAN6_LOCAL rule 10 action accept
set firewall ipv6-name WAN6_LOCAL rule 10 state established enable
set firewall ipv6-name WAN6_LOCAL rule 10 state related enable
set firewall ipv6-name WAN6_LOCAL rule 10 description "Allow established and related packets"
set firewall ipv6-name WAN6_LOCAL rule 20 action drop
set firewall ipv6-name WAN6_LOCAL rule 20 log enable
set firewall ipv6-name WAN6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WAN6_LOCAL rule 20 description "Drop invalid packets"
set firewall ipv6-name WAN6_LOCAL rule 30 action accept
set firewall ipv6-name WAN6_LOCAL rule 30 log enable
set firewall ipv6-name WAN6_LOCAL rule 30 protocol icmpv6
set firewall ipv6-name WAN6_LOCAL rule 30 description "Allow ICMPv6 packets"
set firewall ipv6-name WAN6_LOCAL rule 40 action accept
set firewall ipv6-name WAN6_LOCAL rule 40 description "allow DHCPv6 client/server"
set firewall ipv6-name WAN6_LOCAL rule 40 destination port 546
set firewall ipv6-name WAN6_LOCAL rule 40 source port 547
set firewall ipv6-name WAN6_LOCAL rule 40 protocol udp
set interfaces ethernet eth0 firewall in ipv6-name WAN6_IN
set interfaces ethernet eth0 firewall local ipv6-name WAN6_LOCAL
commit
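As an added check (not part of the original post or of EdgeOS), the Python audit below parses `set` commands of the form used above and confirms, before you commit, that the router-bound ruleset keeps what IPv6 and DHCPv6-PD need: default drop, established/related and ICMPv6 accepted, the DHCPv6 reply rule (udp 547 to 546) present, and the ruleset actually attached to the WAN interface. The GOOD sample is the WAN6_LOCAL part of the ruleset above with the description lines left out; WEAK is a constructed copy with rule 40 removed.

```python
import re

def parse_set_commands(text):
    """Turn EdgeOS 'set a b c' lines into nested dicts {'a': {'b': {'c': {}}}}; quoted strings stay one token."""
    config = {}
    for line in text.splitlines():
        if line.strip().startswith("set "):
            node = config
            for tok in re.findall(r'"[^"]*"|\S+', line.strip()[4:]):
                node = node.setdefault(tok, {})
    return config

def leaf(node, *path):   # the configured value at path (its single child key), or None if unset
    for key in path:
        node = node.get(key, {})
    return next(iter(node), None)

def audit_wan6_local(config, wan="eth0", name="WAN6_LOCAL"):
    """Findings for the router-bound IPv6 ruleset; an empty list means it passes."""
    rs = config.get("firewall", {}).get("ipv6-name", {}).get(name, {})
    rules = list(rs.get("rule", {}).values())
    findings = []
    if leaf(rs, "default-action") != "drop":
        findings.append(f"{name}: default-action must be drop")
    if not any(leaf(r, "action") == "accept" and leaf(r, "state", "established") == "enable"
               and leaf(r, "state", "related") == "enable" for r in rules):
        findings.append(f"{name}: no accept rule for established/related traffic")
    if not any(leaf(r, "action") == "accept" and leaf(r, "protocol") == "icmpv6" for r in rules):
        findings.append(f"{name}: ICMPv6 not accepted (neighbour discovery and RAs would break)")
    if not any(leaf(r, "action") == "accept" and leaf(r, "protocol") == "udp" and leaf(r, "source", "port") == "547"
               and leaf(r, "destination", "port") == "546" for r in rules):
        findings.append(f"{name}: DHCPv6 replies (udp 547 -> 546) not accepted; prefix delegation stops renewing")
    if leaf(config, "interfaces", "ethernet", wan, "firewall", "local", "ipv6-name") != name:
        findings.append(f"{name} is not attached as 'firewall local' on {wan}, so it has no effect")
    return findings

# Constructed sample: the WAN6_LOCAL lines from the ruleset above (descriptions omitted) and a copy without rule 40.
GOOD = """set firewall ipv6-name WAN6_LOCAL default-action drop
set firewall ipv6-name WAN6_LOCAL rule 10 action accept
set firewall ipv6-name WAN6_LOCAL rule 10 state established enable
set firewall ipv6-name WAN6_LOCAL rule 10 state related enable
set firewall ipv6-name WAN6_LOCAL rule 30 action accept
set firewall ipv6-name WAN6_LOCAL rule 30 protocol icmpv6
set firewall ipv6-name WAN6_LOCAL rule 40 action accept
set firewall ipv6-name WAN6_LOCAL rule 40 destination port 546
set firewall ipv6-name WAN6_LOCAL rule 40 source port 547
set firewall ipv6-name WAN6_LOCAL rule 40 protocol udp
set interfaces ethernet eth0 firewall local ipv6-name WAN6_LOCAL"""
WEAK = "\n".join(line for line in GOOD.splitlines() if "rule 40" not in line)
```

Paste the output of `show configuration commands` into the parser to audit a live router; the WEAK case is the one that silently breaks prefix renewal once the firewall is attached.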
You can test IPv6 connectivity using ping6 (Google’s IPv6 DNS server 2001:4860:4860::8888 is a good test), or using the IPv6 test site. You should get a score of 10/10.
If anything went wrong, you can always return to your pre-IPv6 configuration by rebooting the router. If you are satisfied that the settings are working, save them using the save command.
Are you on DSL or GPON? I’ve been trying to get IPv6 working with the ERLite3 connected directly to the ONT with GPON rather than bridging the actiontec and the same configuration doesn’t appear to work nor does dhcpv6-stateless instead of slaac.
I am connected to Telus fibre (Optik) via a bridged port on the Telus router. According to the interwebs, that would be GPON, not DSL. Unsure if I could bypass the Telus-provided router, but in theory a bridged port should be equivalent to running without the Telus router.
Chris,
I’m trying to get this configuration working on my EdgeOS. I’m using an ER-X with firmware v1.9.7, connected to the T3200M, which is set to bridge mode. I can’t seem to get the ER-X to even initiate a dhcpv6-pd request. I’ve run dhcp6c in debug mode to try to troubleshoot the issue. An abbreviated log is at https://pastebin.ca/3862458. The key line I keep seeing is “client6_send: transmit failed: Operation not permitted”. Any ideas on what next steps I can take to debug?
Hi Faisal. This may be an obviously-I-tried-that question, but are you able to get an IPV6 address via DHCP if you connect a device directly to the T3200M’s bridged port?
Is anyone else seeing their IPv6 assignment change every time the Ubiquiti router reboots? This makes it difficult to setup internal servers with static IPs and I haven’t found much information on this. I would expect that if I kept the router offline for a long period of time that it would change but not on every reboot.
Hi Alan. Now I’m curious. I have started tracking my own IPv6 assignments to test this.
To clarify: Are you referring to the router’s address or to the addresses of specific devices on your network?
Hi Chris,
I am talking about the prefix that I get from TELUS. Ubiquiti will always autoconfigure the addresses on the interfaces as per the rules I set so the host part is the same. The network part keeps changing.
I did a bit more testing today and found that it will change even if I issue this command: renew dhcpv6-pd interface ethX. This doesn’t happen every time but seems to happen after a bit of time like 6 min or so. I only tested this once so I don’t know if it is time related for sure. I don’t believe this happens to the Actiontec so I want to start wireshark captures and compare the two devices and how they ask for the IPv6 info.
Confirmed, I am experiencing the same thing as you. My IPv6 prefix from Telus changes on reboot.
It was very slow to obtain a new IPv6 address too – it took between 10 and 20 minutes before any IP check site was able to resolve my IPv6 address.
I have followed all of the directions here and I have IPv6 on all my devices, but I am not getting an IPv6 address for the edge router itself. Is this an issue? When I go to the IPV6 test site, it says everything is OK.
Hi Colin. Where are you looking to see if your EdgeRouter is getting an IPv6 address? I don’t see an IPv6 address on my router’s dashboard, but I do see one for my local network.
When I do an IPV6 check, I can confirm that I am getting an IPv6 address.
I get the same thing. But when I try an IPv6 website, it fails the test.
Is there a log I can pull to see if I can confirm the configuration? I am setting it up as you suggest and it seems to work but there is zero indication it’s doing anything.
I assume eth0 is WAN and eth1 is LAN in your config? Which would imply that the below is correct?
set interfaces ethernet eth0 dhcpv6-pd prefix-only
set interfaces ethernet eth0 dhcpv6-pd rapid-commit enable
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length 56
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 prefix-id :0
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 service slaac
set interfaces ethernet eth0 ipv6 router-advert managed-flag true
set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 1
commit
However it just never changes from this
Interface    IP Address        S/L  Description
---------    ----------        ---  -----------
eth0         199.x.x.150/22    u/u  Internet
eth1         172.16.0.1/23     u/u  Local
eth2         192.168.2.1/24    u/D  Local 2
lo           127.0.0.1/8       u/u
             ::1/128
Hi Jason. I am using eth0 for WAN and eth1 for LAN. I have to admit the visibility into what’s going on with IPv6 is limited.
However, show interfaces on my EdgeRouter displays the following:
So it shows I am getting an IPv6 address, and it definitely looks like you aren’t.
When you run the show interfaces commands below, what does your output look like?